General
Target: wannacry.exe
Sample: 190618-d2rp92kzkx
SHA256: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
Score: N/A
Malware Config
Signatures

Sets file to hidden (1 TTP)

Suspicious use of WriteProcessMemory (1 TTP, 13 IoCs)
  PID 1136 wrote to memory of PID 1156
  PID 1136 wrote to memory of PID 1940
  PID 1136 wrote to memory of PID 1772
  PID 1136 wrote to memory of PID 1112
  PID 1136 wrote to memory of PID 1560
  PID 1136 wrote to memory of PID 2040
  PID 1136 wrote to memory of PID 1480
  PID 1136 wrote to memory of PID 1288
  PID 1136 wrote to memory of PID 820
  PID 1136 wrote to memory of PID 1996
  PID 1136 wrote to memory of PID 588
  PID 1136 wrote to memory of PID 1008
  PID 1136 wrote to memory of PID 592

Modifies file permissions (1 TTP)

Loads dropped DLL (1 TTP)

Executes dropped EXE (1 TTP)

Suspicious use of WriteProcessMemory (1 TTP, 1 IoC)
  PID 1112 wrote to memory of PID 1176

Loads dropped DLL (1 TTP)

Drops startup file (1 IoC)
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD8C1.tmp

Modifies control panel (1 IoC)
  \REGISTRY\USER\S-1-5-21-1548117458-596549244-604853198-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"

Executes dropped EXE (1 TTP)

Loads dropped DLL (1 TTP)

Suspicious use of WriteProcessMemory (1 TTP, 1 IoC)
  PID 2040 wrote to memory of PID 1940

Executes dropped EXE (1 TTP)

Suspicious use of SetWindowsHookEx (1 TTP)

Suspicious use of SetWindowsHookEx (1 TTP)

Loads dropped DLL (1 TTP)

Suspicious use of WriteProcessMemory (1 TTP, 1 IoC)
  PID 1560 wrote to memory of PID 1816

Executes dropped EXE (1 TTP)

Loads dropped DLL (1 TTP)

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory (1 TTP, 1 IoC)
  PID 1940 wrote to memory of PID 1956

Interacts with shadow copies (2 TTPs)

Suspicious use of WriteProcessMemory (1 TTP, 2 IoCs)
  PID 1956 wrote to memory of PID 208
  PID 1956 wrote to memory of PID 412

Suspicious use of AdjustPrivilegeToken (1 TTP, 3 IoCs)
  Token: SeBackupPrivilege
  Token: SeRestorePrivilege
  Token: SeAuditPrivilege

Modifies service (2 TTPs, 4 IoCs)
  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer

Deletes shadow copies (2 TTPs)

Suspicious use of AdjustPrivilegeToken (1 TTP, 20 IoCs)
  Token: SeIncreaseQuotaPrivilege
  Token: SeSecurityPrivilege
  Token: SeTakeOwnershipPrivilege
  Token: SeLoadDriverPrivilege
  Token: SeSystemProfilePrivilege
  Token: SeSystemtimePrivilege
  Token: SeProfSingleProcessPrivilege
  Token: SeIncBasePriorityPrivilege
  Token: SeCreatePagefilePrivilege
  Token: SeBackupPrivilege
  Token: SeRestorePrivilege
  Token: SeShutdownPrivilege
  Token: SeDebugPrivilege
  Token: SeSystemEnvironmentPrivilege
  Token: SeRemoteShutdownPrivilege
  Token: SeUndockPrivilege
  Token: SeManageVolumePrivilege
  Token: 33
  Token: 34
  Token: 35

Executes dropped EXE (1 TTP)

Executes dropped EXE (1 TTP)

Executes dropped EXE (1 TTP)

Suspicious use of SetWindowsHookEx (1 TTP)

Suspicious use of AdjustPrivilegeToken (1 TTP, 1 IoC)
  Token: SeTcbPrivilege

Modifies control panel (1 IoC)
  \REGISTRY\USER\S-1-5-21-1548117458-596549244-604853198-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"

Suspicious use of WriteProcessMemory (1 TTP, 1 IoC)
  PID 1996 wrote to memory of PID 412

Adds Run entry to start application (2 TTPs, 2 IoCs)
  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\unnfcwkalkwice160 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\tasksche.exe\""

Executes dropped EXE (1 TTP)

Executes dropped EXE (1 TTP)

Executes dropped EXE (1 TTP)

Suspicious use of SetWindowsHookEx (1 TTP)

Suspicious use of AdjustPrivilegeToken (1 TTP, 1 IoC)
  Token: SeTcbPrivilege

Drops file in system dir (2 IoCs)
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat

Suspicious use of AdjustPrivilegeToken (1 TTP, 1 IoC)
  Token: SeShutdownPrivilege

wannacry family